CrowdStrike: AI-driven cyberattacks surged 89% in just one year
CrowdStrike released its 2026 Global Threat Report on Monday, documenting an 89% year-over-year increase in AI-enabled adversary operations. The report, drawn from intelligence on more than 280 named threat actors, details how artificial intelligence accelerates attacks and creates new vulnerabilities.
The average “breakout time” from initial breach to lateral movement fell to 29 minutes in 2025, a 65% increase in speed over 2024. One observed breakout took just 27 seconds, with data exfiltration starting within four minutes of initial access in a separate case. Malware-free detections accounted for 82% of activity, continuing a trend toward credential theft and identity-based intrusions.
Adversaries are targeting AI systems directly. Attackers injected malicious prompts into generative AI tools at more than 90 organizations to steal credentials and cryptocurrency. They exploited vulnerabilities in AI development platforms to deploy ransomware and published rogue AI servers to intercept sensitive data.
On the offensive side, Russia-linked group FANCY BEAR deployed LAMEHUG, an LLM-enabled malware using the Qwen2.5-Coder-32B-Instruct model to generate reconnaissance commands. PUNK SPIDER used AI-generated scripts to accelerate credential dumping and destroy forensic evidence. North Korea-linked FAMOUS CHOLLIMA leveraged AI-generated personas to scale insider threat operations.
Nation-state activity escalated significantly. China-linked cyber operations rose 38% in 2025, with the logistics sector seeing an 85% increase in targeting. Sixty-seven percent of vulnerabilities exploited by China-nexus actors delivered immediate system access, while 40% targeted internet-facing edge devices.
North Korea-linked incidents surged more than 130%, with FAMOUS CHOLLIMA’s activity more than doubling. PRESSURE CHOLLIMA’s $1.46 billion cryptocurrency theft was flagged as the largest single financial heist ever reported.
Cloud-focused intrusions rose 37% overall, with a 266% increase from state-backed actors targeting cloud environments. Forty-two percent of vulnerabilities were exploited before public disclosure as attackers weaponized zero-day flaws. CrowdStrike President Michael Sentonas stated: “Prompts are going to be the new malware.”